Re: Http header Rewrite ( Ip source address)

Hi Selim,

You can't rewrite the IP address of S-NAT because NAT would become useless and it wouldn't make much sense to have it in place... Typically you configure S-NAT in a one-arm mode configuration, or also when the backend servers point their default gateway to a different L3 device that does not necessarily need to go through the ACE to send the response to the client; in a nutshell, it avoids asymmetrical routing on the LB setup.

What you can do to preserve the real client IP address is have the ACE insert a new HTTP header, usually called X-Forwarded-For. This is how the configuration should look:

policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm web
    insert-http X-Forwarded-For header-value "%is"

Once you have configured this, the S-NAT IP address is still logged on the server, but you also receive this new header with the original client IP address.

As per my experience there aren't many problems enabling this logging on HTTP servers (Apache), as you can enable it with a simple drop-down, but IIS needs to be configured with an ISAPI filter that you can find here
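To show what the server side has to do with the header the reply describes, here is an added example in Python; it is not part of the post and not Cisco ACE code. It decides which address a web server should log: the X-Forwarded-For value is honoured only when the TCP peer is the ACE's S-NAT address, so a client that reaches the server directly cannot spoof its own address by sending the header itself. The S-NAT address 10.0.0.5 and the client addresses are constructed sample values.

```python
import ipaddress

# Constructed example value: the ACE's S-NAT pool address as the backend sees it.
# Only connections arriving from here carry an X-Forwarded-For we can trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def real_client_ip(peer_addr, xff_header):
    """Return the client address that should appear in the access log.

    peer_addr  -- the TCP peer (REMOTE_ADDR); after S-NAT this is the ACE.
    xff_header -- the X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection that bypassed the ACE: the header is untrusted.
        return str(peer)
    if not xff_header:
        return str(peer)
    # The ACE inserts the original client; if further proxies appended entries,
    # the list is comma-separated and the rightmost entries are the nearest hops.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)  # first hop that is not one of our proxies
    return str(peer)


def access_log_line(peer_addr, headers, request_line, status):
    """Build a Common-Log-style line using the resolved client address."""
    client = real_client_ip(peer_addr, headers.get("X-Forwarded-For"))
    return f'{client} - - "{request_line}" {status}'


if __name__ == "__main__":
    # Constructed requests: via the ACE, direct with a spoofed header, and via a chain.
    samples = [
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
        ("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}),
        ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7, 10.0.0.5"}),
    ]
    for peer, hdrs in samples:
        print(access_log_line(peer, hdrs, "GET / HTTP/1.1", 200))
```

The same rule applies whichever server does the logging: an Apache or IIS module that substitutes X-Forwarded-For for the peer address should be told which addresses are the ACE's, otherwise the log records whatever value a direct client chose to send.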
